Cybersecurity Balancing Act

Government IT pros struggle to meet mandates as computer system threats keep growing.
SANS Institute director Alan Paller says "a lot of people are looking for silver bullets, but they're not doing the management it takes to run a secure system." Government cybersecurity needs to be as much about best practices in software development, system configuration, and monitoring as it is about products and specs, he says.

While FISMA-compliance grades are often high enough, critics say the law is more of a check-box exercise than one that promotes operational excellence. The Government Accountability Office has found that while most agencies comply with FISMA, the effectiveness of those efforts isn't clear. The GAO will release a report on that later this year.

Bruce Brody, VP of cybersecurity at the Analysis Group and a former chief information security officer of two federal agencies, is among the critics. While he applauds FISMA's ability to bring cybersecurity to the fore, he notes that 10% of FISMA grades are simply an indication that employees are getting annual cybersecurity training, and that the process for certifying and accrediting systems as secure often ignores legacy systems.

Sen. Tom Carper, D-Del., is working on a bill to revise FISMA by mandating continuous security monitoring and measurement of the effectiveness of agencies' cybersecurity processes, including identification of weaknesses. A similar version was approved by the Senate Committee on Homeland Security and Governmental Affairs during the last session of Congress. Currently, continuous monitoring is mandated by regulations layered on top of FISMA, but there's not much standardization in how the monitoring is carried out, and it's done by regulation rather than force of congressional legislation.

Under the draft bill, agencies would have to "detect, monitor, correlate, and analyze" the security of any network-connected system in an automated and continuous fashion. Any system that doesn't meet security standards would require remediation before being allowed to connect to the network.

Carper's bill may become part of broader legislation that would include proposed legislation from John D. Rockefeller IV, D-W.V., and Olympia Snowe, R-Maine, according to a spokeswoman in Carper's office. Those bills call for, among other things, more government-wide structures to be put in place overseeing cybersecurity, including the creation of a presidential adviser. "Until we have an office where 'the buck stops here,' we're still going to be operating in a spaghetti bowl model," the NSA's Maconachy says.

The Carper bill would give more weight to government-wide standards being developed by NIST, and those efforts could have a secondary effect of creating a more consistent security posture across government. For example, NIST's Security Content Automation Protocol, a standard way of reading security settings and configurations, was used by the Office of Management and Budget to create the Federal Desktop Core Configuration, a recommended configuration for government computers running Windows.

No Secrets
One gap that can't be solved through technology alone is the need for sharing of best practices and threat information. As part of a project called Einstein, US-CERT has begun monitoring traffic on federal networks and reporting attacks and anomalous activity to the agencies. However, without Top Secret-cleared personnel, US-CERT is sometimes unable to share detailed information about attacks coming from classified sources or using classified methods. CNCI will mandate that agencies have 24/7 security operations centers staffed by analysts who hold security clearances.

5 Security Tips
1. Inventory authorized and unauthorized hardware and software, and enforce software whitelists
2. Implement secure configurations for hardware and software on PCs and servers
3. Implement secure configurations for all network devices
4. Carry out boundary defense, including intrusion-detection systems, authentication, and occasional penetration tests
5. Monitor and analyze security logs
Source: SANS Institute
The new Carper bill, the Rockefeller-Snowe legislation, and the CNCI all encourage stronger public-private cooperation in strengthening government cybersecurity. Maconachy says there are plenty of private-sector practices, such as ISO 27002 and the recently released Consensus Audit Guidelines created with public and private input, that the government could implement. A forthcoming GAO report will recommend some security metrics and controls used in the private sector for government adoption, and NIST is working to revise a set of guidelines called Special Publication 800-53 that align well with the Consensus Audit Guidelines.

The Carper bill explicitly lays out the role of government chief information security officers in enforcing compliance with FISMA. They also will be tasked with documenting security controls, reporting incidents, conducting periodic risk assessments, and, importantly, knocking down silos by directing cybersecurity in any subordinate agency. Today, an agency isn't required to have one CISO accountable for all of its cybersecurity efforts. Carper's bill also would set up a council of government CISOs to share best practices and develop standard performance measurements.

One way to audit the effectiveness of government cybersecurity measures is a "red team approach," where a group of white-hat hackers from NSA or elsewhere are enlisted to penetrate government systems or carry out fake phishing attacks.

According to SANS's Paller, one agency CISO recently did that, asking NSA to identify every place where hackers could break into his networks, and he's now monitoring progress as the holes get fixed. The agency is also implementing the Consensus Audit Guidelines, assigning threat levels to each of its 20 recommended controls.

It's an example of how, even as they keep an eye on new legislation and regulations, government cybersecurity pros can take action. They must, because threats won't wait.